Opera has fixed a critical vulnerability in the GX Mods mechanism of its gaming browser Opera GX, which allowed a malicious website to install a browser mod without a single user click and then extract sensitive data — including the Gmail email address — from pages the victim visits. The fix shipped in version 130.0.5847.89; no CVE identifier has been assigned. According to the official Opera advisory, there is no evidence that the vulnerability has been exploited in real-world attacks, but a public PoC exploit is available. Opera GX users should make sure their browser is up to date by checking the version on the opera://about page.
Attack mechanics: from auto-installing a mod to data leakage
GX Mods is the customization system of Opera GX, which lets users change themes, sounds, wallpapers, and CSS styles of visited websites. Mods are distributed in .crx format (similar to extensions), but, according to the researchers, they cannot execute JavaScript and do not request permissions. The key issue lay in the installation pipeline: Opera would automatically download and activate a mod without asking the user for confirmation.
As described by researchers from Zhero Web Security, a malicious page could trigger the installation of a mod via a hidden iframe that pointed to a .crx file. The only visual indicator was a notification bar under the address bar with a “Remove” button, but the attack completed within seconds — before the user had time to read the notification.
On its own, injecting a “cosmetic” mod seems harmless, but the critical nuance is that the mod’s CSS is applied to all visited pages, not just a single one. The researchers called this universal CSS injection — as opposed to a regular CSS injection that is confined to a specific page. This concept extends previously documented techniques such as Blind CSS Exfiltration by PortSwigger, where CSS-based exfiltration is limited to a single site.
XS-Leak technique: character-by-character data extraction via CSS
CSS cannot directly read the contents of a page and send them to an external server. However, according to the researchers, attribute CSS selectors can be used to test whether the value of an HTML element’s attribute begins with a particular sequence of characters and, if it matches, to load a background image from the attacker’s server. By iterating over all possible combinations, an attacker can reconstruct the value character by character — a classic XS-Leak (cross-site leak) technique.
For their demonstration, the researchers targeted the myaccount.google.com/contactemail page, where the email address is present in three HTML attributes. The mod contained about 150,000 CSS rules covering all possible three-character fragments (trigrams) of the address. A script on the attacker’s side collected the matches and reconstructed the full address. Notably, the initial attempt with four-character fragments required about 5.6 million rules and ~880 MB of CSS, which caused the browser to fail.
The attack chain looked like this: the victim lands on the malicious page → the mod is installed within seconds → JavaScript redirects the browser to the Google Account page → the mod’s CSS is already active and, when the page is rendered, sends requests to the attacker’s server. The entire process did not require a single click.
Background: an ignored warning from 2023
Automatic installation of mods without confirmation was not a new problem. As researcher Renwa described back in 2023, the same behavior could be used to escalate an installed mod into a full-fledged extension and spoof the browser’s address bar. Opera fixed that specific address-bar spoofing vector but, according to the available information, left the basic auto-installation mechanism unchanged — and it is precisely this mechanism on which the new attack is built.
Additional vulnerability: crash in private mode
The researchers also documented a second, more brute-force vector: loading a .crx file in private (Incognito) mode caused the browser to crash, with all open tabs being lost. According to the researchers, this issue affected not only Opera GX but also the regular Opera browser, because any .crx file would trigger the extension installation pipeline. It is worth noting that Opera’s security advisory does not mention this issue, and there is no independent confirmation in available sources of its impact on regular Opera.
Disclosure process and severity assessment
According to the researchers, the disclosure process via the Bugcrowd platform did not go smoothly: triage analysts initially rated the vulnerability as P3 (medium severity). To demonstrate the real scale of the threat, the researchers intercepted trigrams of the analyst’s own data, reconstructed his Gmail address, and inserted it into the report. After that, the rating was raised to P1 (maximum severity), and the researchers were reportedly paid the maximum bounty of $5,000.
In its advisory, Opera characterizes the attack as difficult to carry out: the victim had to land on a malicious site, have a mod installed, and fail to click the removal button before the redirect completed. However, the researchers’ demonstration shows that the redirect triggered within seconds — faster than a user could read the notification.
Impact assessment
The vulnerability affected Opera GX users on versions prior to 130.0.5847.89. Although the proven PoC extracted only the Gmail address, the researchers note that the same approach can be applied to any values a site places in HTML attributes — usernames, identifiers, and other data. The Opera GX audience is geared toward gamers who actively use mods and customization, which makes social engineering aimed at luring them to a malicious page potentially more effective.
Recommendations
- Update Opera GX to version 130.0.5847.89 or later. Check your current version on the
opera://aboutpage. - Review the list of installed mods — remove any unfamiliar or unexpectedly appearing GX Mods.
- There are no workarounds other than updating: the attack required no user interaction, and blocking it at the settings level was not possible.
- Organizations that allow the use of Opera GX in a corporate environment should include this browser in their enforced update policies.
This case clearly demonstrates how a “harmless” customization feature — CSS styles without JavaScript and permissions — turns into a data-leak vector when its scope extends to all visited sites and installation occurs without user consent. Opera has fixed the specific vulnerability, but the broader architectural lesson is this: any mechanism that automatically injects content into the context of arbitrary web pages requires explicit user confirmation — regardless of how limited that content may seem.